RDP Issue – CredSSP Encryption Oracle Remediation

Introduction

We have recently had some issues accessing a few client servers and found it is related to a Windows security update that was released earlier in May 2018. The problem is when you try to RDP to a server you can receive an error similar to this:

An authentication error has occurred.
The function requested is not supported

Remote computer:
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

RDP error received

The error is the result of an update, Common Vulnerabilities and Exposures CVE-2018-0886, being applied to the client machine and not the target servers (the client’s production servers). This update will adjust the configuration of the credentials delegation on the system. It changes the configuration from vulnerable to mitigated which, if you are on a system that is set to a lower configuration, causes RDP access to be blocked.

CVE Details

This update applies to Windows 7 and up for desktop and Windows Server 2008 and higher.

In Windows Server 2016 and 2012 R2, we found this update included in the May rollup update. The following are the two KB links for Windows 8.1 up to Windows Server 2016. If these get applied to your Windows 8.1 or Windows 10 desktop and not the servers, you will lose RDP access:

Resolution

The end result is to apply the update to all of the target servers to ensure the security vulnerability is patched properly. If you utilize any management system for Windows Update (e.g. WSUS) you can push the update to the specific targets using that service. The update will require a reboot of the target server before it is applied.

An interim approach is to set the Credential Delegation back to vulnerable on your workstation and this will open access back until you can apply the same patch to your servers.

Change Credential Delegation to Vulnerable

You will need to do this logged in as a domain account that has elevated privileges on the workstation or server. Open a run prompt (Windows Key + R) and enter gpedit.msc. Go to Computer Configuration > Administrative Templates > System > Credentials Delegation:

Credential Delegation policy

Open the setting “Encryption Oracle Remediation,” then select “Enabled” and set the “Protection Level” to “Vulnerable”:

Protection Level to Vulnerable

Once you click OK you will then be able to RDP to the target servers again.

Add Registry Key

If you are not able to access Group Policy editor on the source/client machine you can simply add a registry key to perform the same task as above to temporarily regain access to your servers.

Post Patch Deployment

Once you have pushed the patch out to the servers you will need to “unconfigure” the Group Policy. Simply go back into that setting and select “Not Configured” and click OK. You will then regain access to all the servers again.

If you used the registry option you can remove the registry key created using the following command:

About the Author

Microsoft Cloud and Datacenter Management MVP, Shawn has a knack for automating mundane task where IT staff can focus on more business critical issues and task. He has been recognized for his skills in PowerShell and has a broad knowledge of technology around Microsoft's Data Platform and various Cloud providers.

PYTHIAN®, LOVE YOUR DATA®, and ADMINISCOPE® are trademarks and registered trademarks owned by Pythian in North America and certain other countries, and are valuable assets of our company. Other brands, product and company names on this website may be trademarks or registered trademarks of Pythian or of third parties. Use of trademarks without permission is strictly prohibited.